In almost any electronic transaction, such as for example a bank transaction, a retail transaction, a data-access transaction, or the like, a user obtains access to some protected account or space or the like by entering a user identification (ID) and a password as authentication that the user is in fact entitled to such access. However, it is well known that employing only a password is a relatively weak method of authenticating a user. In particular, a password seldom expires and can be relatively easy to guess, especially if the rules for constructing such a password are relatively weak. Moreover, even a well-constructed password can be stolen, and the stolen password can be widely distributed along with the corresponding user ID and used by almost anyone, perhaps with disastrous consequences for the user.
In contrast to such weak authentication, it is known to employ strong authentication by requiring submission of not only a user ID and a password, but also a token value generated by an item provided to the user. That is, such strong authentication requires something the user knows, which is the password, and something the user has, which is the item that generates the token value. Presumptively, the item is unique to the user and the token value as generated by the item of the user is unique to that item and thus cannot be generated by any other item. Also presumptively, the token value can be verified based on knowledge of the user and the item thereof. Accordingly, the token value upon being verified strongly implies that the user that provides the token value is in fact in possession of the item and correspondingly is in fact entitled to whatever access is being requested.
One such system for implementing such strong authentication is RSA SECURID two-factor authentication as marketed and provided by RSA Security Inc. of Bedford, Mass. In such RSA system, the token value is generated and displayed for each user by a small authenticator device that has been assigned to the user. In particular, such authenticator device is used only in connection with such RSA system, contains a very accurate clock and has a unique ID, and generates a new token value every minute as a one-way hash of the current minute and the unique ID. Note that the unique ID therefore functions as a secret shared only between the authenticator device and the authentication server: anyone who learns it can compute every token value the device will ever display, so the strength of the scheme rests on that ID never leaving the device and the server. Thus, an authentication server determining whether to allow a user access to an electronic system for some sort of electronic transaction receives a user ID, a password, and a current token value from the user, and based thereon strongly authenticates the user by ensuring: (1) that the received password is correct for the received user ID, which shows that the user knows something, and (2) that the received current token value can be independently regenerated by the authentication server, which shows that the user has something.
In particular, and with regard to (2) above, the authentication server based on the user ID can identify the unique ID of the authenticator device that is assigned to and should be possessed by the user having such user ID, and the authentication server also has a very accurate clock. Thus, just as the authenticator device generated the received token value as a one-way hash of the current minute and the unique ID, so too does the authentication server attempt to do so. Assuming both clocks provide the same current minute value and the proper unique ID is identified, the authentication server generates the same token value as the received current token value, resulting in a match. Of course, to allow for some drift between the two clocks, the authentication server may generate hashes for some number of minutes plus and minus what such authentication server has as the current minute, and a match on any of such minutes is accepted. Two consequences follow from such a window: each additional minute accepted adds one more token value that a guesser could hit, so the window should be kept as narrow as the clocks permit, and a token value that has already been accepted remains within the window for several minutes thereafter, so the authentication server should record the minute of the last accepted token value and refuse any token value for that minute or an earlier one, lest an observed token value be replayed.
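The following is an added worked example of the generation and verification scheme described above; it is not code from the page or from RSA. The one-way hash is taken to be HMAC-SHA256 keyed with the device's secret seed (the "unique ID" above) over the minute counter, truncated to six decimal digits, which is an assumed construction standing in for SecurID's proprietary algorithm. The drift window of plus or minus two minutes, the six-digit length, the user name and the sample timestamp are all hypothetical values chosen for illustration. The example goes slightly beyond the text by also refusing a token value that has already been accepted, the replay check a practitioner would want once a window of several minutes is allowed.

```python
"""Minute-based token generation and server-side verification with a clock-drift window.

Added example: the authenticator device and the authentication server share a secret
seed (the "unique ID" of the description). HMAC-SHA256 is an assumed one-way function,
not the proprietary SecurID algorithm.
"""
import hashlib
import hmac
import os
import time

STEP_SECONDS = 60   # one new token value every minute, as described above
WINDOW_STEPS = 2    # accept tokens for +/- 2 minutes of clock drift (assumed value)
DIGITS = 6          # length of the displayed token value (assumed value)


def minute_counter(unix_time: float) -> int:
    """Whole minutes since the Unix epoch; each side derives this from its own clock."""
    return int(unix_time) // STEP_SECONDS


def token_value(seed: bytes, counter: int) -> str:
    """One-way function of (current minute, secret seed), truncated to DIGITS decimal digits."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                        # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash so the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthenticationServer:
    """Holds, per user ID, the password hash and the seed of the assigned authenticator."""

    def __init__(self) -> None:
        self._users = {}

    def enroll(self, user_id: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "seed": seed,
            "last_counter": -1,   # highest minute whose token value was already accepted
        }

    def authenticate(self, user_id: str, password: str, token: str, now=None):
        """Return (accepted, reason). `now` lets the caller supply the server clock."""
        user = self._users.get(user_id)
        if user is None:
            return False, "unknown user"
        # (1) something the user knows: the password, compared in constant time
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return False, "bad password"
        # (2) something the user has: regenerate the token for every minute in the drift window
        server_counter = minute_counter(time.time() if now is None else now)
        for delta in range(-WINDOW_STEPS, WINDOW_STEPS + 1):
            candidate = server_counter + delta
            if hmac.compare_digest(token_value(user["seed"], candidate), token):
                if candidate <= user["last_counter"]:
                    return False, "token already used"   # replay inside the drift window
                user["last_counter"] = candidate
                return True, "ok"
        return False, "bad token"


if __name__ == "__main__":
    # Constructed demo: enroll one hypothetical user and log in with a freshly generated token.
    seed = os.urandom(20)
    server = AuthenticationServer()
    server.enroll("alice", "correct horse battery staple", seed)
    now = time.time()
    displayed = token_value(seed, minute_counter(now))
    print(server.authenticate("alice", "correct horse battery staple", displayed, now=now + 30))
```

The loop over `range(-WINDOW_STEPS, WINDOW_STEPS + 1)` is the "some number of minutes plus and minus" of the text; widening it trades tolerance of clock drift for a larger set of acceptable values per attempt, so a rate limit on failed attempts belongs in front of this function in any real deployment.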
An authentication system that implements strong authentication by way of using such system-specific authenticator devices has been found to be highly secure, especially inasmuch as only that user with an assigned authenticator device having a particular unique ID can submit an acceptable token value for any particular current minute. However, it has been found that an authentication system that employs such system-specific authenticator devices is relatively expensive. In particular, such an authentication system requires extra infrastructure, both to assign the authenticator devices to the users and to keep track of the assigned authenticator devices, and also to provide the accurate clocks. Also, and more significantly, the cost of such an authentication system increases with each user added to the system, especially inasmuch as each user requires his or her own authenticator device, which currently costs approximately 60 USD.
Such cost may be relatively insignificant if the number of users is on the order of 100 (about 6000 USD), such as for example in an authentication system that provides access for employees of an organization to data servers of the organization over an inter-computer network such as the Internet. However, such cost can become excessive if the number of users is on the order of 1 million (about 60 million USD), such as for example in an authentication system that provides access for account holders to financial accounts at a large bank or the like over an inter-computer network such as the Internet. Moreover, such cost only increases when it is considered that the authenticator devices have to be replaced on a regular basis due to loss, damage, theft, and battery life. Further, such cost likely must be borne by the issuer of the authenticator devices and not the users, and thus can become a large budgetary expense.
Accordingly, a need exists for systems and methods for performing strong authentication in connection with an electronic system that performs electronic transactions for users, where a system-specific authenticator device need not be issued to each user of the electronic system. More particularly, a need exists for such systems and methods that employ as an authenticator device for each such user an electronic device already in possession of the user, such as for example a cellular telephone device, a paging device, a messaging device, or the like.